Viewstate seems to be hijacked inadvertently
- by dvr
Hi,
we are using asp.net 2.x, we use session state stored in sql server, 2 web servers in loadbalance, iis6.
our issue is that in the last 3 months we have had 2 cases where some one using our enquiry form has seen someone else's info e.g. first name and last name. We are not populating the form from objects in session so I have come to the conclusion that the second user has somehow received the viewstate from the first user, after that user has tried to submit and got an error e.g. has posted view state and returned the the same page and the other user has requested that page at the same time (must have been on the same server I am guessing if it is a viewstate issue).
have any of you experienced this before? some questions mulling around in my head is how does the worker process know to retun view state to a unique request and how does it determine a unique request etc..